"Fedora 18 will be released at around the same time as Windows 8, and as previously discussed all Windows 8 hardware will be shipping with secure boot enabled by default. [...] We've been working on a plan for dealing with this. It's not ideal, but of all the approaches we've examined we feel that this one offers the best balance between letting users install Fedora while still permitting user freedom." Wait for it... "Our first stage bootloader will be signed with a Microsoft key."

A bit of a weak comparison. If Fedora is to work with secure boot they either have to get a key into all hardware or get their bootloader signed by someone who already is getting a key into all hardware. Microsoft is the only company in the latter camp.

What Fedora is asking Microsoft for is a small signature for their bootloader. No Microsoft code is involved.

There will be plenty of hardware which allows secure boot to be disabled, or keys to be replaced, in which case you can go through the trouble of setting things up right yourself. For the sake of novice users however it is useful both that the boot is protected from malware and that Fedora can install without a lot of manual configuration.

Plus, of course, Fedora having secure booting is a good security measure in itself.

"A bit of a weak comparison. If Fedora is to work with secure boot they either have to get a key into all hardware or get their bootloader signed by someone who already is getting a key into all hardware. Microsoft is the only company in the latter camp."

...which is only the case due to the brain-dead way Secure Boot has been designed, by Microsoft themselves, to begin with.

"What Fedora is asking Microsoft for is a small signature for their bootloader. No Microsoft code is involved."

What Fedora ended up having to do is pay Microsoft in order to receive a revocable permission to let their users comfortably run the OS they want on their hardware. Don't you see a problem there?

"There will be plenty of hardware which allows secure boot to be disabled, or keys to be replaced, in which case you can go through the trouble of setting things up right yourself."

Why should users have to fiddle with obscure firmware settings and break their Windows install by swapping the Microsoft key with something else only to get another OS on their computer? Why couldn't they just insert or connect the OS installation media, add the new signing key to the firmware database when asked with a scary warning if they really want to do so, and get a working dual-boot setup like they do today?

"For the sake of novice users however it is useful both that the boot is protected from malware and that Fedora can install without a lot of manual configuration."

"Plus, of course, Fedora having secure booting is a good security measure in itself."

I am not saying that Secure Boot is useless here, only that its core design is terrible, and that Microsoft have consistently refused to fix its flaws in what borders on monopoly abuse.

It benefits no one but Microsoft when other OSs have to become their slave in order to keep a sane installation process.

"For the sake of novice users however it is useful both that the boot is protected from malware and that Fedora can install without a lot of manual configuration."

Except now running independent secure boot operating systems is a privilege, with Microsoft being the gatekeeper.

"Plus, of course, Fedora having secure booting is a good security measure in itself."

Nobody's arguing this, but the reason "secure boot" is controversial is that Microsoft was uniquely positioned to overload the design of secure boot to make it difficult/impossible for independent developers to implement. The rest of us generally don't have the means to get our keys into firmware. Once many of these start to ship, it'll be too late. Independent OS developers won't have any way to make their offerings secure boot compliant on existing hardware. We'll all be literally at the mercy of Microsoft to sign our stuff.

A serious problem inherent in the design is that Microsoft's key is now going to be on virtually all UEFI hardware, probably even on motherboards people will buy to run Linux. This makes Microsoft uniquely capable of installing bootloader trojan malware on all our systems at any point in the future. I'm not alleging that MS would knowingly let it happen, but it is not a good security model to have a UEFI standard where one entity controls the rights on all our hardware. God forbid China, US spy agencies, or even maligned hacking groups should get ahold of Microsoft's secure boot key.

A properly designed secure boot would be future-proof and allow the owner to approve & reject what operating systems his hardware is allowed to boot *without having to disable secure boot*. Independent developers should not be relegated to 2nd class citizens on consumer hardware.